ANS-C01 Exam Details

  • Exam Code: ANS-C01
  • Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 285 Q&As
  • Last Updated: May 24, 2026

Amazon ANS-C01 Online Questions & Answers

  • Question 141:

    A network engineer is evaluating a network setup for a global retail company. The company has an AWS Direct Connect connection between its on-premises data center and the AWS Cloud. The company has AWS resources in the eu-west-2 Region. These resources consist of multiple VPCs that are attached to a transit gateway.

    The company recently provisioned a few AWS resources in the eu-central-1 Region in a single VPC close to its users in this area. The network engineer must connect the resources in eu-central-1 with the on-premises data center and the resources in eu-west-2. The solution must minimize changes to the Direct Connect connection.

    What should the network engineer do to meet these requirements?

    A. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a transit VIF to connect the VPC and the Direct Connect router.
    B. Create a new transit gateway in eu-central-1. Create a peering attachment request to the transit gateway in eu-west-2. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway peering attachment. Accept the peering request. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.
    C. Create a new transit gateway in eu-central-1. Use an AWS Site-to-Site VPN connection to peer both transit gateways. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway VPN attachment. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.
    D. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a public VIF to connect the VPC and the Direct Connect router.

  • Question 142:

    A company has been using an outdated application layer protocol for communication among applications. The company decides not to use this protocol anymore and must migrate all applications to support a new protocol. The old protocol and the new protocol are TCP-based, but the protocols use different port numbers.

    After several months of work, the company has migrated dozens of applications that run on Amazon EC2 instances and in containers. The company believes that all the applications have been migrated, but the company wants to verify this belief. A network engineer needs to verify that no application is still using the old protocol.

    Which solution will meet these requirements without causing any downtime?

    A. Use Amazon Inspector and its Network Reachability rules package. Wait until the analysis has finished running to find out which EC2 instances are still listening to the old port.
    B. Enable Amazon GuardDuty. Use the graphical visualizations to filter for traffic that uses the port of the old protocol. Exclude all internet traffic to filter out occasions when the same port is used as an ephemeral port.
    C. Configure VPC flow logs to be delivered into an Amazon S3 bucket. Use Amazon Athena to query the data and to filter for the port number that is used by the old protocol.
    D. Inspect all security groups that are assigned to the EC2 instances that host the applications. Remove the port of the old protocol if that port is in the list of allowed ports. Verify that the applications are operating properly after the port is removed from the security groups.

  • Question 143:

    A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud.

    Which solution will meet these requirements while providing the HIGHEST throughput?

    A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.
    B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software.
    C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.
    D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.

  • Question 144:

    A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs. The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection.

    Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.

    What should a network engineer do to resolve this issue?

    A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.
    B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.
    C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.
    D. Modify the transit gateway by selecting multicast support.

  • Question 145:

    A company's network engineer must implement a cloud-based networking environment for a network operations team to centrally manage. Other teams will use the environment. Each team must be able to deploy infrastructure to the environment and must be able to manage its own resources. The environment must feature IPv4 and IPv6 support and must provide internet connectivity in a dual-stack configuration.

    The company has an organization in AWS Organizations that contains a workload account for the teams. The network engineer creates a new networking account in the organization.

    Which combination of steps should the network engineer take next to meet the requirements? (Choose three.)

    A. Create a new VPC. Associate an IPv4 CIDR block of 10.0.0.0/16 and specify an IPv6 block of 2001:db8:c5a:6000::/56. Provision subnets by assigning /24 IPv4 CIDR blocks and /64 IPv6 CIDR blocks.
    B. Create a new VPC. Associate an IPv4 CIDR block of 10.0.0.0/16 and use an Amazon-provided IPv6 CIDR block. Provision subnets by assigning /24 IPv4 CIDR blocks and /64 IPv6 CIDR blocks.
    C. Enable sharing of resources within the organization by using AWS Resource Access Manager (AWS RAM). Create a resource share in the networking account, select the provisioned subnets, and share the provisioned subnets with the target workload account. Use the workload account to accept the resource share through AWS RAM.
    D. Enable sharing of resources within the organization by using AWS Resource Access Manager (AWS RAM). Create a resource share in the networking account, select the new VPC, and share the new VPC with the target workload account. Use the workload account to accept the resource share through AWS RAM.
    E. Create an internet gateway and an egress-only internal gateway. Deploy NAT gateways to the public subnets. Associate the internet gateway with the new VPC. Update the route tables. Associate the route tables with the relevant subnets.
    F. Create an internet gateway. Deploy NAT instances to public subnets. Update the route tables. Associate the route tables with the relevant subnets.

  • Question 146:

    A team of infrastructure engineers wants to automate the deployment of Application Load Balancer (ALB) components by using the AWS Cloud Development Kit (AWS CDK). The CDK application must deploy an infrastructure stack that is reusable and consistent across multiple environments, AWS Regions, and AWS accounts.

    The lead network architect on the project has already bootstrapped the target accounts. The lead network architect also has deployed core network components such as VPCs and Amazon Route 53 private hosted zones across the multiple environments and Regions. The infrastructure engineers must design the ALB components in the CDK application to use the existing core network components.

    Which combination of steps will meet this requirement with the LEAST manual effort between environment deployments? (Choose two.)

    A. Design the CDK application to read AWS CloudFormation parameters for the values that vary across environments and Regions. Reference these variables in the CDK stack for resources that require the variables.
    B. Design the CDK application to read environment variables that contain account and Region details at runtime. Use these variables as properties of the CDK stack. Use context methods in the CDK stack to retrieve variable values.
    C. Create a dedicated account for shared application services in the multi-account environment. Deploy a CDK pipeline to the dedicated account. Create stages in the pipeline that deploy the CDK application across different environments and Regions.
    D. Write a script that automates the deployment of the CDK application across multiple environments and Regions. Distribute the script to engineers who are working on the project.
    E. Use the CDK toolkit locally to deploy stacks to each environment and Region. Use the --context flag to pass in variables that the CDK application can reference at runtime.

  • Question 147:

    A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.

    A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.

    Which combination of steps is part of a solution that meets these requirements? (Choose two.)

    A. Deploy the SaaS service endpoint behind a Network Load Balancer.
    B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.
    C. Deploy the SaaS service endpoint behind an Application Load Balancer.
    D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
    E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.

  • Question 148:

    A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company has decided to use AWS Site-to-Site VPN to establish connectivity between its on-premises network and its AWS environment.

    The company does not have a static public IP address for its on-premises network. A network engineer must implement a solution to initiate the VPN connection on the AWS side of the connection for traffic from the AWS environment to the on-premises network.

    Which combination of steps should the network engineer take to establish VPN connectivity between the transit gateway and the on-premises network? (Choose three.)

    A. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 1 (IKEv1).
    B. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).
    C. Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
    D. Use a public certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
    E. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device's external interface.
    F. Create a customer gateway without specifying the IP address of the customer gateway device.

  • Question 149:

    A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue.

    What should the network engineer do to meet this requirement?

    A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
    B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use AWS Firewall Manager to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
    C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
    D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.

  • Question 150:

    A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations. The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the application with the least amount of latency.

    Which change should a network engineer make in the infrastructure to meet these requirements?

    A. Create a new Network Load Balancer (NLB). Add the ALB as a target of the NLB.
    B. Create a new Amazon CloudFront distribution. Set the ALB as the distribution's origin.
    C. Create a new accelerator in AWS Global Accelerator. Add the ALB as an accelerator endpoint.
    D. Create a new Amazon Route 53 hosted zone. Create a new record to route traffic to the ALB.
